Hi
I suspect a former employee of the company I work for still has access to the servers; in fact, I'm sure he does. When he left the company in December he neglected to remove his personal files from one of our servers. I contacted him and made him aware of it. When I checked the folders I saw that the files were no longer there.

Doing a search on the hard drives for files modified over that period revealed that the folders had been modified by a user (it's just a string of numbers, not the domain\username as it normally looks). I've sent the number to our IT department, and they just shrugged and said that the user account does not exist. According to the date the folder was accessed by this user account, it was some time in the evening, when I know nobody else would've been connected to that server.

This all happened in the past 2 days.
My question: where do I go to get more info on this user account? Is there a log kept that shows the user and what action was taken?

The machine is running Windows Server 2003 SP1. I remote connect to it.

Thanks for your question. I suggest trimming some of the background in your intro, since it isn't really relevant to the basic question, and adjusting the focus of the question, in light of Rory's answer. Trying to track an admin account or rootkit is quite different than tracking a user account. See also the discussion at How can TOCTTOU vulnerabilities within the Windows OS be mitigated?
– nealmcb Mar 24 '11 at 16:08

2 Answers

My question: where do I go to get more info on this user account? Is there a log kept that shows the user and what action was taken?

My thought - what is your purpose in collecting the information? How and what you do next has a lot to do with what you want to have happen. Here are my thoughts on the possible outcomes:

Prosecute him - at this point, he is an attacker causing palpable harm to your company. You do have the right to investigate legal actions, and even if nothing harmful has happened yet, you may want to reserve the right to act in the future. If this is the case, you want to consider this the area of digital forensics. To prosecute computer crimes, you need a solid chain of evidence and careful evidence collection is critical. To do that, start getting management, lawyers and a professional forensic team involved. Do not mess with the machine. At all. If you can, disconnect it from the network, and see about the options for building a clean replacement system on separate hardware.

Recover from anything he did - "anything" is a big area. Chances are good that you will not get everything. If he can get to one server, there's a decent chance he can get to others, and if he's knowledgeable about your infrastructure, you have a rough task ahead. I don't think the machine's log file is going to help much. Someone's going to have to back up, look at the employee's set of access codes, work assignments, responsibility areas, and places he may or may not have had access to. This is going to have to happen at a sysadmin level - hopefully in your infrastructure it will take admin level rights to plug these holes and recover the systems.

Lock out his access - I'd still recommend rebuilding the environment, even if you suspect only a small compromise. Back doors and holes are easy enough for an insider to install that I'd recommend a rebuild.

Self-enlightenment - i.e., you're not really concerned with all the security ramifications, you're just curious about the tech - I'm afraid I'm not enough of a Windows admin to tell you more than the obvious, which you've already tried. Depending on your system configuration, there may be other access logs - the remote system you use to log in may log information elsewhere, if there's a VPN, that may have access logs, etc. A high-end security system might have offline backup with added integrity and access controls - but it depends on how your system has been configured.

To answer the aside - it’s not blackmail if you offer to assist is it?

It is blackmail to demand or receive a valuable thing by offering not to inform against anyone who has violated federal law (18 U.S.C. § 873).

From there, the particular words you used are likely to be a factor in whether your offer for mutual aid could or could not be interpreted that way.

I can tell you that at least in my company, my bosses would be pretty irate if I handled things the way you have. But I work in a company with a very strict and well-defined security policy. If I suspected a breach, my job as a member of the company would be to bring it to enough attention to get the breach fixed by the company - including IT, legal and the chain of command in management. Taking it upon myself to offer a former employee access to his personal files and clean-up of security holes left behind is WAY beyond the scope of things I'm allowed to do as a run-of-the-mill engineer. Personally, I'd expect extra smacking around, because I've had a lot of training in this stuff, and I can't really claim that I'm a novice or an unenlightened non-security nerd.

That said - I work in a huge company with a huge stake in good security practices - failing to enforce a strong security paradigm is not only a risk due to the potential loss of information or functionality from breaches; having a security breach go public would also be damaging to our corporate reputation.

Your mileage may vary - if you work in a small startup with a low profile and not in the security industry, your company may be totally OK with what you've done.

Either way, my best piece of advice would be to get your direct management involved ASAP. Even if they don't understand the technical situation of the former employee's security breach, they should (in writing) show their approval or disapproval to your way of handling the situation up until now.

Thanks, you've answered my own personal concerns as well. I'm not proud of the way I handled the situation. In hindsight, even though I was frustrated with users yelling and blaming the new guy, I should not have handled it the way I have.
– user1837 Mar 25 '11 at 6:09

Glad to help. As they say - hindsight's 20/20 - I'm sure I have plenty of regrets too. The hardest part about engineering is often this people stuff. :)
– bethlakshmi Mar 28 '11 at 14:55

If he was a sysadmin, you can no longer rely on anything on that box, as he may have had the capability to change anything.

You should escalate this to your IT or incident response team - the damage may not be confined to them just deleting evidence; a sensible precaution may be to wipe and rebuild the box, depending on its sensitivity.

If you have backups or audit logs, the incident response team should request them to be preserved. You should list a timeline of everything that was done, including all emails with the individual etc.

The incident response team should also be able to get the correct individuals involved to look at the legal standpoint - it may or may not be worthwhile progressing with an investigation, but that is a business call, not an IT call.
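The "string of numbers" in the question is what NTFS shows when a file's owner SID no longer resolves to an account (the account was deleted, or belongs to a domain the server cannot reach), and both answers point at audit logs and a timeline as the next step. As an added example, not code from any of the posters, the following PowerShell script reads the owner SID from the folder, tries to translate it back to an account, and pulls the Server 2003-era Security log entries for logons and object access in the window in question. It assumes PowerShell 2.0 on the server (which on Server 2003 requires SP2, whereas the question says SP1) and an account allowed to read the Security log; the folder path is a placeholder. Object-access events (560/564) will only exist if "Audit object access" was enabled and a SACL was set on the folder before the activity, and running anything on the box only makes sense after the preserve-first decisions in the answers have been made.

```powershell
# Added example (not from the original posts). Assumes PowerShell 2.0 on the
# Windows Server 2003 host and an account that can read the Security log.
# $FolderPath is a placeholder; $WindowStart covers "the past 2 days" plus margin.
$FolderPath  = 'D:\Shares\FormerEmployee'
$WindowStart = (Get-Date).AddDays(-3)

# 1. Who does NTFS think owns the folder? When the account has been deleted the
#    owner is shown as a raw SID (S-1-5-21-...) instead of DOMAIN\username.
$acl   = Get-Acl -Path $FolderPath
$owner = $acl.Owner
Write-Output "Owner as recorded on disk: $owner"

# 2. Try to translate that SID back to an account. A failure here is itself
#    informative: the account no longer exists, or lives in an unreachable domain.
if ($owner -match '^S-1-') {
    try {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($owner)
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        Write-Output "SID resolves to: $name"
    } catch {
        Write-Output "SID does not resolve on this host: $owner"
    }
}

# 3. Logon events in the window. Server 2003 uses the pre-Vista event IDs:
#    528 = interactive/RDP logon, 540 = network logon, 552 = logon with explicit creds.
Get-EventLog -LogName Security -After $WindowStart -InstanceId 528,540,552 |
    Select-Object TimeGenerated, InstanceId, UserName, Message |
    Sort-Object TimeGenerated |
    Format-Table -AutoSize -Wrap

# 4. Object-access events (560 = object opened, 564 = object deleted). These are
#    only present if object-access auditing and a SACL on the folder were in place.
Get-EventLog -LogName Security -After $WindowStart -InstanceId 560,564 |
    Where-Object { $_.Message -like "*$FolderPath*" } |
    Select-Object TimeGenerated, InstanceId, UserName |
    Sort-Object TimeGenerated |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the server, or from another machine by adding -ComputerName to the Get-EventLog calls. The time-ordered output from steps 3 and 4 is the raw material for the timeline the second answer asks for; pair each entry with the corresponding e-mail or call to the former employee rather than relying on the server's logs alone, since, as the first answer notes, an administrator-level account could have altered them.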